If I'm not mistaken, Same Origin Policy is enforced by the browser on scripting languages.
So I can write a console application and send requests to your server, but if I tried it through an AJAX call in JavaScript, then I should get an error...
If I put your site in an iframe and tried to access that iframe using JavaScript, then I should get an error...

Just remember that it is not enforced by your server, it is enforced in the browser.

Then it will connect to your server. This really isn't a problem as long as you have a login system. If you have a login system, the only data they can receive is data that is sent to all clients and is supposed to be public, and for any data it sends that requires being logged in, they would need to log in. If your server checks for bad data, then even if they modify the page to send "hack/cheat" data, your server should see that and kick them off.

I have found that if you use the relative path for serving the socket.io.js file, then if the page is not coming from your hosting server, it will not connect. (This could be a bug in node.js/socket.io and it may not work like this for everyone.) But if I use the relative path, then move the client to another host (making no changes) and try to connect, it will not connect.

I would like to know if someone could simply Copy the source code of my Game.

Yes. They can just do view->source and follow the src urls to grab the JS files.

Then paste the code on his own website.

Yes, they could certainly do that. They don't even need a webserver, they can just copy and run the code from their desktop.

And access my Server via his website since he has my server IP now?

They don't even need to download your code to find your server IP. All they need to do is run "netstat" or, just ping your domain name (DNS will resolve your name to an IP). Think of your IP as a street address which is publicly visible. Who cares who knows your address when you've got a lock on the door?

Now, you do NOT want to do username and password authentication in JavaScript. JavaScript is a client side scripting language, so assume that your users will be able to read all of your code. You want to do user validation on the server side through a server side scripting language, such as PHP, ASP, etc. Ideally, the usernames and passwords are stored in a database as hashed values. Your server side validation script will verify that the referring URL is your own domain, then it will grab the username and password, hash them, and then connect to the database and see if there's a stored hash match. If a match is found, the user is authenticated and you can start a server side session in order to maintain state variables between pages. I've barely hit the wavetops on how to do web security (good security will handle SQL injection attacks, start an HTTPS session before sending account info across the wire, etc).
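
Added example, not part of the original answers: a Node.js sketch of the server-side checks the answers above describe, where login compares a stored password hash, a session token is issued on success, and every game message is validated before it is accepted. The function names, the in-memory `Map` stores standing in for a database, the one-square move rule and the sample account are all assumptions made for illustration; this sketch salts each password and hashes it with scrypt from Node's `crypto` module.

```javascript
// Added example: in-memory stand-ins for a database and a session store.
const { scryptSync, randomBytes, timingSafeEqual } = require('crypto');

const users = new Map();     // username -> { salt, hash }
const sessions = new Map();  // session token -> username

function hashPassword(password, salt) {
  // scrypt is a salted, deliberately slow key-derivation function
  return scryptSync(password, salt, 32);
}

function register(username, password) {
  const salt = randomBytes(16); // fresh random salt per account
  users.set(username, { salt, hash: hashPassword(password, salt) });
}

function login(username, password) {
  const user = users.get(username);
  if (!user) return null;
  const candidate = hashPassword(password, user.salt);
  // constant-time comparison of the computed and stored hashes
  if (!timingSafeEqual(candidate, user.hash)) return null;
  const token = randomBytes(32).toString('hex'); // unguessable session id
  sessions.set(token, username);
  return token;
}

// Every game message is checked on the server: the sender must hold a
// valid session and the payload must be within the rules of the game
// (hypothetical rule: move at most one square per message).
function handleMove(token, move) {
  const username = sessions.get(token);
  if (!username) return { ok: false, reason: 'not logged in' };
  const valid = move &&
    Number.isInteger(move.dx) && Number.isInteger(move.dy) &&
    Math.abs(move.dx) <= 1 && Math.abs(move.dy) <= 1;
  if (!valid) {
    sessions.delete(token); // drop the session of a client sending bad data
    return { ok: false, reason: 'invalid move' };
  }
  return { ok: true, player: username };
}

register('alice', 'correct horse battery staple'); // constructed sample account
```

A copied client pointed at this server gets nothing from `handleMove` until `login` succeeds, and a modified client that sends out-of-range data loses its session.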